Determining attributes using captured network probe data in a wireless communications system

ABSTRACT

Wireless user device probe data can be used to infer or determine an attribute of a user. The probe data can be captured by a sensor device from probes wirelessly transmitted by the user device to search for wireless access points. The probe data can include network addresses of the wireless access points to which the user device has wirelessly connected. The probe data can also include connection information about wireless links between the user device and the wireless access points. The probe data and a user device identifier can be transmitted to a computing device that can compare the probe data to access point network addresses associated with attributes in an electronic data store to determine an attribute for a user of the user device.

TECHNICAL FIELD

The present disclosure relates generally to wireless communicationsystems and, particularly but not necessarily exclusively, todetermining attributes using network probe data captured by a wirelesssensor device.

BACKGROUND

Wireless communication networks, such as WiFi networks, include accesspoints that can wirelessly communicate with user devices via a wirelesscommunication link. A user device can search for access points andestablish a communication link with a selected access point. The userdevice can store information about the access point for subsequentlyestablishing the communication link with the access point more easily.For example, the user device can transmit a probe to search for theaccess point and automatically include password information to establisha future communication link with the access point. Except for the userdevice, access point probe data is difficult to use because it often isspecific to a particular user device and includes information that isdifficult to interpret and use independent of other data that can beequally difficult to obtain.

SUMMARY

In one example, a sensor device includes a network communications port,a processor, and a memory device. The processor can control datacommunicated through the network communications port. The memoryincludes instructions that are executable by the processor to cause thesensor device to capture probe data from a user device about probeswirelessly transmitted by the user device to search for wireless accesspoints. The probe data includes (i) network addresses of the wirelessaccess points to which the user device has wirelessly connected and (ii)connection information about wireless links between the user device andthe wireless access points. The instructions can also be executable bythe processor to cause the sensor device to transmit the probe data anda user device identifier to a computing device configured to compare theprobe data to access point network addresses associated with attributesin an electronic data store to determine an attribute for a user of theuser device.

In another example, a method includes capturing, by a sensor device,probe data from a user device about probes wirelessly transmitted by theuser device to search for wireless access points. The probe dataincludes (i) network addresses of the wireless access points to whichthe user device has wirelessly connected and (ii) connection informationabout wireless links between the user device and the wireless accesspoints. The method can also include transmitting the probe data and auser device identifier to a computing device configured to compare theprobe data to access point network addresses associated with attributesin an electronic data store to determine an attribute for a user of theuser device.

In another example, a non-transitory computer-readable storage mediumincludes instructions that are executable by a processor to receiveprobe data from a user device about probes wirelessly transmitted by theuser device to search for wireless access points. The probe dataincludes (i) network addresses and physical locations of the wirelessaccess points to which the user device has wirelessly connected and (ii)connection information about wireless links between the user device andthe wireless access points. The instructions can also be executable bythe processor to transmit the probe data and a user device identifier toa computing device configured to compare the probe data to access pointnetwork addresses associated with attributes in an electronic data storeto determine an attribute for a user of the user device.

The details of one or more aspects and examples are set forth in theaccompanying drawings and the description below. Other features andaspects will become apparent from the description, the drawings, and theclaims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a wireless communication environment in which auser device can wirelessly connect to an access point according to oneexample of the present disclosure.

FIG. 2 is a diagram of a wireless communication environment in which asensor device can capture access point probe data from a user deviceaccording to one example of the present disclosure.

FIG. 3 is a block diagram of a sensor device according to one example ofthe present disclosure.

FIG. 4 is a block diagram of a computing device usable to analyzecaptured access network probe data according to one example of thepresent disclosure.

FIG. 5 is a diagram of an implementation of a sensor device with a blimpaccording to one example of the present disclosure.

FIG. 6 is a diagram of an implementation of a sensor device with a droneaccording to one example of the present disclosure.

FIG. 7 is a data flow diagram for a computing device in generating adata store and analyzing captured probe data with respect to data in thedata store according to one example of the present disclosure.

DETAILED DESCRIPTION

Certain aspects and features of the present disclosure relate to usingprobe data captured from a user device by a sensor device and datastored about access points to infer or determine an attribute for theuser by analyzing the probe data with respect to the data stored aboutthe access points. By using historical access point connectioninformation captured without knowledge of either the user device or theaccess point, an affinity of the user can be inferred based on comparingthe historical access point information with stored, known data aboutaccess points and associated attributes.

In one example, the relative security risk of a user may be inferred ordetermined using the probe data. A sensor device can be positioned in apublic location, for example, and the sensor device can capture probedata wirelessly transmitted by the user device without the user deviceknowing that the sensor device is capturing the probe data. The probedata can be compared to a data store with network addresses of accesspoints or otherwise analyzed to determine whether the user poses asecurity risk. For example, the user may have spent time wirelesslyconnected to access points at locations known to have users of highsecurity risk (e.g., suspected terrorists) or the user may have spent anunusually large amount of time proximate to a security target—e.g.,banks, gathering locations of targeted individuals, etc.—and that isunusual for the user based on the prior access point connections. Alertsand other notifications may be outputted accordingly.

Probe data can include network address (e.g., media access control (MAC)address) of the access point, physical location, name of the accesspoint, etc. Physical location data can be actual location of an accesspoint or data from which a location or an approximate location can bederived solely from the data of using the data and third-party datasources. For example, the physical location data may be an identifierused to search a database of collected SSID and location data tocorrelate the location data to the access point. Probe data can alsoinclude connection information, which can include the date and time atwhich the user device established a wireless link with the particularaccess point and the amount of time that the user device was wirelesslyconnected to the access point or was proximate to the access point. Theamount of time may be an actual amount of time or data from which anamount of time can be derived from, for example, data about repeatedcommunications from the user device in the form of probes or packets asit connects and communicates to a nearby access point.

The sensor device can include an antenna and a demodulator that cancapture radio frequency signals that contain probe data from the userdevice and demodulate the signals to extract the probe data. The sensordevice may also include a telecommunications port and a transmitter thatcan transmit via a telecommunications protocol (e.g., cellular, WiFi,packetization protocols, etc.) the probe data to a processing device forfurther processing. In other example, the sensor device includes aprocessor that can execute an application to analyze the probe data. Thesensor device may be positioned on a utility pole or other stationarystructure, a blimp, a drone, or other mobile structure, or the sensordevice may be implemented in a separate user device that is mobile withthe another user.

In some examples, the probe data are 802.11 probes that are analyzedusing existing data, accumulated learned data, or created metadata, toderive potential affinity among data points. One implementation may befor human surveillance, such as being deployed widely in areas wherepeople congregate and that can aid in early identifying and predictingpotential terrorist activity or other bad actors. Collecting and usingreadily available information and its subsequent analysis may be morepowerful than facial recognition in that a device may disclose a historyof affiliation beyond the current identification and location that canbe derived from facial recognition as a surveillance method. In someaspects, the sensor device may not need to have any special software orhardware to use 802.11 WiFi.

Human security in public places is emerging as a significant concernglobally as malevolent acts are perpetrated on people, most often inlocations where unsuspecting people congregate. Society is looking forways to identify perpetrators, or to assess heightened danger levels,before these acts can be carried out. In many cases, perpetrators havebeen involved in associations with known bad actors and known locations,but there has not been a way to tie together the location of a bad actorwith a location of a concentration of known bad actors in time to takeactions for preventing and mitigating potential bad acts. Using someexamples of the sensor device and data store, a user device's historicalaffiliation may be used to derive relationships that may be predictiveof risk, and provide an opportunity for analysis and potentialpreventive action before a malevolent event or injury occurs.

A sensor device according to some examples can be a hardware device or asoftware instance on an existing device and used to monitor networkprobes (e.g., signals used by a user device to search for connectionswith specific service set identifiers (SSIDs)). The sensor device canthen associate the probe data to a real or representative identifier ofthe probing entity with the collection point (and likely its actuallocation or identity), and communicate that information to a separateprocessing device for collection and comparison to other data todetermine affinity to details of specific interest. The other data canbe of various forms, examples of which include a database of knownSSIDs, a database of interesting SSIDs, a database of derived affinitiesfor known SSIDs (developed and derived from other data sources such asgeo-location). Collecting probe data (e.g., affinity information) andsubsequent comparing the probe data to known information may be used toderive inferences using a variety of logical relationships and dataanalysis. These types of data collections can provide for fast andefficient analysis, potentially permitting rapid identification of riskwith the potential for quick, effective action to prevent bad acts. Thesensor device may be one of multiple sensor devices forming a sensordevice network that can communicate data to a centralized collectionpoint to organize, collect, and store information centrally, whereprocessing speed, storage, and security controls can be available. Inthe case of homeland security or a similar security entity, acentralized location and control over security and secrecy of thedatabase can be an effective deployment strategy. For example, by havingcentralized processing, the sensor device can be relieved from theburden of storage or processing associated with the database andanalysis functions.

One benefit of some examples of the present disclosure is an earlywarning capability, similar in some ways to an IP network's intrusiondetection system or intrusion prevention system that may offer an alertor take an action to prevent an identifiable potential threat. A sensordevice can be deployed as a standalone probe monitoring point, ormultiple points, or be incorporated into a larger surveillancecapability or as a feature of a related network appliance that supports802.11 WiFi. By collecting probe information and associating the probeinformation to specific devices and locations, new relationships may beinferred from the aggregated information. Information aggregation andsubsequent analysis can offer the opportunity to create deeperinferences that may be useful in identifying potential risks andthreats.

Although examples of implementations are described above with respect toinferring or determining security threats, different or additionalattributes about a user of a user device can be inferred or determined.For example, an affinity for the user to frequent certain physicallocations can be used to connect the user to other users that may sharecommon interests or have a business connection. In other examples,business opportunities can be presented to the user based on the user'saffinity for certain physical locations that are associated withbusinesses interested in further deepening a business relationship.Furthermore, access points may be one or more different types of accesspoints. Examples include WiFi access points, Bluetooth® access points,ZigBee access points, etc.

Detailed descriptions of certain examples are discussed below. Theseillustrative examples are given to introduce the reader to the generalsubject matter discussed here and are not intended to limit the scope ofthe disclosed concepts. The following sections describe variousadditional aspects and examples with reference to the drawings in whichlike numerals indicate like elements, and directional descriptions areused to describe the illustrative examples but, like the illustrativeexamples, should not be used to limit the present disclosure.

FIG. 1 is a diagram of a wireless communication environment 100 in whicha user device 102 can wirelessly connect to an access point 104according to one example of the present disclosure. The user device 102can establish a wireless communication link with the access point 104 toexchange data, access other networks, such as the Internet, andotherwise perform communications. The user device 102 may transmit apassword or provide some other credential to establish the wirelesslink. In other examples, no password or credential is required for theuser device 102 to establish the wireless link.

The user device 102 can store information about the access point 104 inlocal memory. Examples of the information include the communicationchannel over which the wireless communication link is established,network name for the access point 104, and MAC or other network addressfor the access point 104. The physical location of the access point 104may also be derived or received by the user device 102 and stored.

Examples of the user device 102 include a mobile telephone, a tablet PC,a laptop, and a personal digital assistant. The access point 104 canallow the user device to connect to a wired network, such as theInternet, and include or be coupled to a wireless router. In additionalexamples, the access point 104 may communicatively couple to the userdevice via a wired communication medium.

FIG. 2 is a diagram of a wireless communication environment 200 in whicha sensor device 204 can capture access point probe data from the userdevice 102 according to one example of the present disclosure. Theenvironment 200 may be subsequent in time to the environment 100 FIG. 1.The user device 102 may be wirelessly transmitting probe data to searchfor access points, such as access point 104 from FIG. 1, to which theuser device 102 has previously connected. The sensor device 204 canwirelessly detect the probe data from the user device 102 and beseparate and independent from any wireless access point or user device.

The sensor device 204 in FIG. 2 is positioned on a structure 202, whichmay be a utility pole, part of a building, a tree, or any type ofstructure that can allow the sensor device 204 to capture signals thatinclude probe data from user devices, such as user device 102, in acoverage area. The probe data can include name, network address, andpotentially other information about access points to which the userdevice 102 has previously connected. The probe data may also includeconnection information that includes data about the wirelesscommunication links previously established by the user device 102 toaccess points. Examples of probe data include SSID, Bluetooth Low-Energy(BLE) beacons, location information, time information, deviceinformation, sensor information, and site-specific information.

The sensor device 204 can capture the probe data and transmit the probedata to a computing device 210, which can be a server, through atelecommunication network 208. The computing device 210 can include orbe coupled to a database 212 that includes data with respect to whichthe probe data can be analyzed to infer or determine an attribute of theuser. By capturing probe data and analyzing the probe data with respectto stored information, network traffic and information can be used toinfer or determine attributes about users without proactively involvingthe user or access points.

The telecommunications network 208 can be a wired network, a wirelessnetwork, or a combination of one or more wired networks and wirelessnetworks. Examples of the telecommunications network 208 include acellular network, a telecommunications backhaul, a cellulartelecommunications network backhaul, a WiFi mesh network, a distributedantenna system, and an Ethernet network.

In some examples, the sensor device 204 is an access point, or is partof an access point, that can also establish a wireless communicationslink with the user device 102 to allow the user device 102 tocommunicate with a wired network. The database 212 can be a relationaldatabase, blockchains, centralized database, distributed database, andother types of databases. The database 212 can be implemented in anon-transitory computer-readable medium that includes logic and hardwarecapable of storing electronic code that represents data andrelationships between data.

FIG. 3 is a block diagram of the sensor device 204 according to oneexample of the present disclosure. The sensor device 204 includes anetwork port 302, a processor device 304, a memory device 306, and anantenna 310. The antenna 310 can be integrated with the sensor device204, or the antenna 310 can be coupled to the sensor device 204 throughan antenna port (not shown). The antenna 310 can capture signals fromuser devices that include probe data.

Also included in the sensor device 204 are a demodulator 312 and atransmitter 314. The demodulator 312 can demodulate signals captured bythe antenna 310 to extract probe data in the captured signals. Thetransmitter 314 can modulate or transmit the probe data in a propercommunication protocol through the network port 302 to atelecommunications network for receipt by a processing device. Examplesof the network port 302 include a network interface card, or physicallayer circuitry, that can allow signals to be communicated to thetelecommunications network. A sensor device according to other examplesmay not include a demodulator and instead retransmit the capturedsignals onto the telecommunications network for receipt by a processingdevice.

Non-limiting examples of the processor device 304 include aField-Programmable Gate Array (FPGA), an application-specific integratedcircuit (ASIC), a microprocessor, etc. The processor device 304 canexecute one or more operations for managing probe data capturing andtransmitting the probe data to a telecommunications network. Theprocessor device 304 can execute instructions stored in the memorydevice 306 to perform the operations. In some examples, the instructionscan include processor-specific instructions generated by a compiler oran interpreter from code written in any suitable computer-programminglanguage, such as C, C++, C#, etc.

Non-limiting examples of the memory device 306 include electricallyerasable and programmable read-only memory (EEPROM), flash memory, orany type of non-volatile memory. In some examples, at least some of thememory devices 306 can include a medium from which the processor device304 can read instructions. A computer-readable medium can includeelectronic, optical, magnetic, or other non-transitory storage devicescapable of providing the processor device 304 with computer-readableinstructions or other program code. Non-limiting examples of acomputer-readable medium include magnetic disk(s), memory chip(s), ROM,random-access memory (RAM), an ASIC, a configured processor, opticalstorage, or any other medium from which a computer processor can readinstructions.

The memory device 306 can include instructions such as a probe engine308 that can be executed by the processor device 304 for performingvarious operations in managing the sensor device 204 in capturing andtransmitting probe data. For example, the probe engine 308 can beexecuted by the processor device 304 to control the demodulator 312 andthe transmitter 314, or otherwise control when the sensor device 204captures signals that can include probe data. The probe engine 308 canalso be executed to prevent the sensor device 204 from being attacked bymalicious signals in an attempt to subvert the functions of the sensordevice 204 by instructing the sensor device 204 to filter signals froman identified source or with certain types of data. In some examples,the functions of the demodulator 312 and the transmitter 314 areimplemented as instructions in the memory device 306 that can beexecuted by the processor device 304, rather than being separatecomponents of the sensor device 204. In addition, the sensor device 204may store captured probe data in the memory device 306.

FIG. 4 is a block diagram of the computing device 210 usable to analyzecaptured access network probe data according to one example of thepresent disclosure. The computing device 210 includes a processor device402, a network port 404, and a memory device 406. Examples of theprocessor device 402 and the memory device 406 include the same orsimilar examples as the processor device 304 and the memory device 306of FIG. 3. The network port 404 may similarly be a network interfacecard, physical layer circuitry, or other type of circuitry to interfacewith a telecommunications network to receive probe data from a sensordevice. The memory device 406 can include instructions as an accesspoint data store 408 and a comparison engine 410. The access point datastore 408 may, in other examples, be implemented as a separate databaseor in a separate device than the computing device. The access point datastore 408 includes information about access points and associatedattributes collected or received from various sources, includingpreviously received probe data.

The comparison engine 410 can be executed by the processor device 402 toperform analytics on the received probe data and the information in theaccess point data store to determine an attribute. The comparison engine410 may also be executed by the processor device 402 to output alerts orinformation to a display for a user or a separate system or applicationto take action on the probe data received from the sensor device.

A sensor device according to various examples can be positioned onvarious types of structures to capture probe data from user devices.FIGS. 5 and 6 depict examples of aerial structures that can be used.FIG. 5 is a diagram of an implementation of a sensor device 502 with ablimp 504 according to one example of the present disclosure. The blimp504 can be flown to a coverage area where, for example, a concentrationof users with user devices 506 a-n are located to capture a large amountof probe data, as compared for example to a sensor device positioned ona utility pole.

FIG. 6 is a diagram of an implementation of a sensor device 602 with adrone 604 according to one example of the present disclosure. The drone604 can be flown to a coverage area where a concentration of users withuser devices 606 a-n is located to capture probe data from the userdevices 606 a-n.

FIG. 7 is a data flow diagram for a computing device in generating adata store 708 and analyzing captured probe data with respect to data inthe data store 708 according to one example of the present disclosure.The data flow can include processes performed by the computing device210 of FIG. 2, but other implementations are possible.

The computing device can generate the data store 708 with access pointdata associated with attributes in it by receiving data from one or moresources and storing the data in a manner that can be analyzed withrespect to subsequently received data. Examples of sources of datainclude previously captured probe data 702, data from third-party datasources 704, and data from manual input 706.

Previously captured probe data 702 can include data about access points,and information associated with those access points, previously capturedby a sensor device and received by the computing device. The informationassociated with those access points may include information about theuser or the user device that connected to the access points, geographicinformation about the access points. From this information, thecomputing device may be able to formulate an attribute value for anaccess point. For example, the computing device may automaticallyassociate an access point with a high security risk if enough users thatare themselves a high security risk (e.g., the computing device cancompare to a list of high security risk users) have connected to theaccess point. In other examples, the previously captured probe data maybe associated with an attribute that results from analysis of the probedata with respect to data already stored in the data store 708.

Data from third-party data sources 704 can include any type of data andcan be from any source. Examples can include government data sources andprivate enterprise sources that can include MAC addresses and physicallocation information about access points. The data may also includeattributes, such as a list of access points located in highly suspiciousphysical locations known to be frequented by users of interest. The datacan be received by any transmission protocol. Examples include receivingthe data via Internet Protocol and via a telecommunications backhaullink. In other examples, the data from the third-party data sources 704can be caused to be received by the data store 708 via an instruction byan administrator or other person that controls the data store 708.

The data from manual input 706 can be data that is received by the datastore 708 as a result of manual data input by a human, such as a personthat controls the data store 708. In some examples, the data store 708includes data that is the result of a combination of these or othersources. For example, data from third-party data sources 704 can besupplemented with data from manual input 706 to generate a comprehensivedatabase that is usable to analyze captured probe data.

The probe data from a sensor device 710 can be received by the computingdevice in process 712. The computing device can analyze the capturedprobe data with respect to data in the data store in process 714. Thecomputing device can determine an attribute to associate with thecaptured probe data by comparing the probe data to the data in the datastore 708. For example, the computing device may determine that the userdevice was connected an unusually long time to an access point and theaccess point may be located at a sensitive location—e.g., proximate toan airport, club, or other location where people congregate—and there isno reasonable explanation for why the user device was connected so longto the access point except for suspicious activity—e.g., a user that is“casing” a particular location for a bad act. In another example, thecomputing device can determine that a user device was connected tomultiple access point that, together, suggest that the user may be aboutto commit a bad act. Being connected to each access point individuallymay not suggest there is a risk with the individual, but being connectedto an access point to which bad actors (in addition to non-bad actors)are known to connect and being connected to another access point that islocated in a sensitive area may indicate that the user of the userdevice should be associated with a high risk attribute.

In some examples, the data in the data store 708 can be filtered bycertain criteria such that the captured probe data is analyzed withrespect to the filtered data, rather than the entire data store 708. Forexample, the data in the data store 708 can be filtered to result indata about access points associated with known high security risks andthe probe data can be compared against the filtered data.

The computing device, after analyzing the probe data, can output aninferred or determined user attribute in process 716. The attribute maybe outputted in the form of an alert to the proper personnel, or inbatch form in the normal course of processing. In other examples, theattribute may only alert personnel if the attribute meets certaincriteria—e.g., high risk, should be further investigated, indicates theuser has a need for a certain service or business connection, etc. Afteroutputting the alert or other result of the analysis, the computingdevice may add the probe data to the data store 708.

The foregoing description of the examples, including illustratedexamples, of the subject matter has been presented only for the purposeof illustration and description and is not intended to be exhaustive orto limit the subject matter to the precise forms disclosed. Numerousmodifications, adaptations, and uses thereof will be apparent to thoseskilled in the art without departing from the scope of this subjectmatter. The illustrative examples described above are given to introducethe reader to the general subject matter discussed here and are notintended to limit the scope of the disclosed concepts.

What is claimed is:
 1. A sensor device comprising: a networkcommunications port; a processor configured to control data communicatedthrough the network communications port; and a memory device havinginstructions that are executable by the processor to cause the sensordevice to: capture probe data from a user device about probes wirelesslytransmitted by the user device to search for wireless access points, theprobe data including (i) network addresses of the wireless access pointsto which the user device has wirelessly connected prior to attempting acurrent connection to a wireless access point by wirelessly transmittingthe probe data and (ii) connection information about wireless linksbetween the user device and the wireless access points to which the userdevice has connected prior to attempting the current connection to thewireless access point; and transmit the probe data and a user deviceidentifier to a computing device configured to compare the probe data toaccess point network addresses associated with attributes in anelectronic data store to determine an attribute for a user of the userdevice.
 2. The sensor device of claim 1, wherein the probe data includesService Set Identifiers (SSIDs) for the wireless access points to whichthe user device has previously wirelessly connected and time data fromthe connection information and that is associated with the connectionbetween the user device and the wireless access points, the wirelessaccess points being WiFi access points, wherein the user deviceidentifier is a media access control (MAC) address for the user device,wherein the attributes include relative security risks for the wirelessaccess points that are based on security threats of users previouslyidentified within coverage areas of the wireless access points or arebased on security threats associated with physical locations associatedwith the wireless access points.
 3. The sensor device of claim 2,wherein the instructions are further executable to cause the sensordevice to: designate at least one attribute as a high security risk; andanalyze the electronic data store by: identifying the access pointnetwork addresses that are associated with the high security risk;comparing the access point network addresses associated with the highsecurity risk to the probe data to determine a match of a networkaddress or a physical location to at least one access point networkaddresses that is associated with the high security risk; and outputtingan alert about the user in response to determining the match; and addthe probe data to the electronic data store as additional access pointnetwork addresses associated with the attributes.
 4. The sensor deviceof claim 1, wherein the instructions are executable by the processor tocause the sensor device to transmit the probe data and the user deviceidentifier by transmitting the probe data and the user device identifierfrom the sensor device through a cellular communications networkbackhaul for receipt by the computing device, the sensor device beingpositionable on a tower, a utility pole, or an aerial object.
 5. Thesensor device of claim 1, wherein the sensor device is separate andindependent from any wireless access point and from the user device, theattribute for the user being determinable from network activity withrespect to the wireless access points.
 6. The sensor device of claim 1,wherein the connection information includes a date and time at which theuser device connected to a wireless access point and an amount of timethat the user device connected to the wireless access point.
 7. Thesensor device of claim 1, further comprising: an antenna configured todetect wireless signals in multiple channels from the user device; ademodulator configured to demodulate the wireless signals to extract theprobe data from the wireless signals; and a transmitter configured tomodulate the probe data on signals for transmission to the computingdevice via a communications protocol different than the communicationsprotocol of the wireless signals detected by the antenna.
 8. A methodcomprising: capturing, by a sensor device, probe data from a user deviceabout probes wirelessly transmitted by the user device to search forwireless access points, the probe data including (i) network addressesof the wireless access points to which the user device has wirelesslyconnected prior to attempting a current connection to a wireless accesspoint by wirelessly transmitting the probe data and (ii) connectioninformation about wireless links between the user device and thewireless access points to which the user device has connected prior toattempting the current connection to the wireless access point; andtransmitting the probe data and a user device identifier to a computingdevice configured to compare the probe data to access point networkaddresses associated with attributes in an electronic data store todetermine an attribute for a user of the user device.
 9. The method ofclaim 8, wherein the probe data includes Service Set Identifiers (SSIDs)and physical locations for the wireless access points to which the userdevice has previously wirelessly connected and time data from theconnection information and that is associated with the connectionbetween the user device and the wireless access points, the wirelessaccess points being WiFi access points, wherein the user deviceidentifier is a media access control (MAC) address for the user device,wherein the attributes include relative security risks for the wirelessaccess points that are based on security threats of users previouslyidentified within coverage areas of the wireless access points or arebased on security threats associated with physical locations associatedwith the wireless access points.
 10. The method of claim 9, furthercomprising: designating at least one attribute as a high security risk;and analyzing the electronic data store by the computing device:identifying the access point network addresses that are associated withthe high security risk; comparing the access point network addressesassociated with the high security risk to the probe data to determine amatch of a network address or a physical location to at least one accesspoint network addresses that is associated with the high security risk;and outputting an alert about the user in response to determining thematch; and adding the probe data to the electronic data store asadditional access point network addresses associated with theattributes.
 11. The method of claim 8, wherein transmitting the probedata and the user device identifier comprises transmitting the probedata and the user device identifier from the sensor device through acellular communications network backhaul for receipt by the computingdevice, the sensor device being positioned on a tower, a utility pole,or an aerial object.
 12. The method of claim 8, wherein the sensordevice is separate and independent from any wireless access point andfrom the user device, the attribute for the user being determined fromnetwork activity with respect to the wireless access points.
 13. Themethod of claim 8, wherein the connection information includes a dateand time at which the user device connected to a wireless access pointand an amount of time that the user device connected to the wirelessaccess point.
 14. The method of claim 8, wherein capturing, by thesensor device, probe data from the user device about the probeswirelessly transmitted by the user device to search for the wirelessaccess points comprises: detecting, by an antenna of the sensor device,wireless signals in multiple channels from the user device;demodulating, by a demodulator of the sensor device, the wirelesssignals to extract the probe data from the wireless signals; and storingthe probe data electronically in a computer-readable medium of thesensor device.
 15. A non-transitory computer-readable storage mediumincluding instructions that are executable by a processor to: receiveprobe data from a user device about probes wirelessly transmitted by theuser device to search for wireless access points, the probe dataincluding (i) network addresses of the wireless access points to whichthe user device has wirelessly connected prior to attempting a currentconnection to a wireless access point by wirelessly transmitting theprobe data and (ii) connection information about wireless links betweenthe user device and the wireless access points to which the user devicehas connected prior to attempting the current connection to the wirelessaccess point; and transmit the probe data and a user device identifierto a computing device configured to compare the probe data to accesspoint network addresses associated with attributes in an electronic datastore to determine an attribute for a user of the user device.
 16. Thenon-transitory computer-readable storage medium of claim 15, wherein theprobe data includes Service Set Identifiers (SSIDs) for the wirelessaccess points to which the user device has previously wirelesslyconnected and time data from the connection information and that isassociated with the connection between the user device and the wirelessaccess points, the wireless access points being WiFi access points,wherein the user device identifier is a media access control (MAC)address for the user device.
 17. The non-transitory computer-readablestorage medium of claim 16, wherein the instructions are furtherexecutable to: designate at least one attribute as a high security risk;and analyze the electronic data store by: identifying the access pointnetwork addresses that are associated with the high security risk;comparing the access point network addresses associated with the highsecurity risk to the probe data to determine a match of a networkaddress or a physical location to at least one access point networkaddresses that is associated with the high security risk; and outputtingan alert about the user in response to determining the match; and addthe probe data to the electronic data store as additional access pointnetwork addresses associated with the attributes.
 18. The non-transitorycomputer-readable storage medium of claim 15, wherein the instructionsare executable to determine or infer the attribute for the user based onnetwork activity detected by a sensor device that is separate andindependent from any wireless access point and from the user device. 19.The non-transitory computer-readable storage medium of claim 15, whereinthe instructions are further executable to: demodulate wireless signalsin multiple channels received from the user device to extract the probedata from the wireless signals; and modulate the probe data onto signalstransmitted to the computing device.
 20. The non-transitorycomputer-readable storage medium of claim 19, wherein the instructionsare further executable to transmit modulated signals including probedata to a cellular communications network for receipt by the computingdevice.